Data Processing Agreement
Last updated: 7 April 2026
This Data Processing Agreement ("DPA") forms part of the Cadu Terms of Service ("Terms") between Cadu ("we", "us", "Processor") and the customer who has accepted those Terms ("you", "Customer", "Controller"). It applies whenever Cadu processes Personal Data on your behalf in the course of providing the service.
This DPA is designed to satisfy Article 28 of the EU General Data Protection Regulation 2016/679 ("GDPR") and the equivalent provisions of the UK GDPR. By using Cadu, you accept this DPA.
1. Definitions
Capitalised terms used in this DPA have the meanings given to them in the GDPR. In particular:
- Personal Data means any information relating to an identified or identifiable natural person.
- Processing means any operation performed on Personal Data.
- Data Subject means the individual to whom Personal Data relates.
- Controller means the party that determines the purposes and means of Processing — in this DPA, the Customer.
- Processor means the party that Processes Personal Data on behalf of the Controller — in this DPA, Cadu.
- Sub-processor means any third party engaged by Cadu to Process Personal Data on the Customer's behalf.
- Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
2. Scope and roles
Under this DPA, the Customer acts as the Controller and Cadu acts as the Processor with respect to Personal Data submitted to or collected through the Customer's website ("Customer Data"). This includes Personal Data of the Customer's website visitors, such as messages and contact details submitted through forms on the Customer's site.
For clarity, when you (the Customer) sign up for Cadu and use it as an individual, Cadu is the Controller of your own account data (your phone number, message history with Cadu, billing information). That relationship is governed by the Cadu Privacy Policy, not this DPA.
3. Subject matter, duration, nature and purpose of processing
- Subject matter: Provision of the Cadu service — a WhatsApp-based website builder that hosts and serves websites on behalf of Customers.
- Duration: For the term of the Customer's use of Cadu, plus any retention period set out in the Privacy Policy.
- Nature of processing: Hosting, transmitting, storing, and forwarding Personal Data submitted to the Customer's website; processing inbound messages through AI to generate site edits.
- Purpose: To enable the Customer to operate a website and receive communications from its visitors.
4. Categories of Data Subjects and Personal Data
Data Subjects: Visitors to the Customer's website, including individuals who submit contact forms or other communications.
Personal Data: Information voluntarily provided by website visitors, which may include name, email address, telephone number, message content, and any other information visitors choose to submit through forms. Cadu may also process technical data such as IP addresses for security and rate-limiting purposes.
Cadu does not request or require Customers to submit special categories of Personal Data (Article 9 GDPR). Customers should not configure their websites to collect special category data without ensuring an appropriate lawful basis is in place.
5. Cadu's obligations as Processor
Cadu shall:
- 5.1 Process Personal Data only on documented instructions from the Customer, including with regard to transfers of Personal Data to a third country, unless required to do so by law. The Customer's instructions are set out in this DPA, the Terms, and the Customer's use of the Cadu service.
- 5.2 Ensure that persons authorised to Process the Personal Data have committed themselves to confidentiality.
- 5.3 Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in Annex 1.
- 5.4 Respect the conditions for engaging Sub-processors set out in Section 6.
- 5.5 Taking into account the nature of the Processing, assist the Customer by appropriate technical and organisational measures, insofar as possible, in fulfilling its obligation to respond to requests from Data Subjects exercising their rights under Articles 15 to 22 of the GDPR.
- 5.6 Assist the Customer in ensuring compliance with its obligations under Articles 32 to 36 of the GDPR (security, breach notification, data protection impact assessments, prior consultation), taking into account the nature of Processing and the information available to Cadu.
- 5.7 At the choice of the Customer, delete or return all Personal Data to the Customer after the end of the provision of services, and delete existing copies, unless retention is required by law.
- 5.8 Make available to the Customer all information necessary to demonstrate compliance with the obligations set out in Article 28 of the GDPR.
6. Sub-processors
The Customer provides general authorisation for Cadu to engage Sub-processors. A current list of Sub-processors is available at cadu.app/sub-processors.
Cadu shall:
- Notify the Customer of any intended additions to or replacements of Sub-processors at least 30 days in advance, by updating the Sub-processors page and (where reasonably practicable) by notification through the Cadu service. The Customer may object to any new Sub-processor on reasonable data protection grounds within that 30-day period.
- Impose on each Sub-processor data protection obligations no less protective than those in this DPA, by way of a written contract.
- Remain fully liable to the Customer for the performance of each Sub-processor's obligations.
If the Customer objects to a new Sub-processor and Cadu cannot reasonably accommodate the objection, the Customer may terminate the affected service by closing their Cadu account. No refund is due for unused subscription time, but the Customer may export their site files via the standard export process before termination.
7. International transfers
Some of Cadu's Sub-processors are located outside the European Economic Area and the United Kingdom, including in the United States. Where Personal Data is transferred to such countries, Cadu relies on the Standard Contractual Clauses adopted by the European Commission (Decision 2021/914) and, where applicable, the UK International Data Transfer Addendum, as the legal basis for the transfer. Details are available on the Sub-processors page.
8. Security measures
Cadu implements technical and organisational measures appropriate to the risk. A summary is set out in Annex 1 below. Cadu may update these measures over time provided that the updated measures do not materially decrease the level of protection.
9. Personal Data Breach notification
Cadu shall notify the Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting Customer Data. The notification will, to the extent reasonably available, describe the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach.
Cadu will assist the Customer in fulfilling the Customer's own breach notification obligations to supervisory authorities and Data Subjects under Articles 33 and 34 of the GDPR.
10. Data Subject requests
If a Data Subject contacts Cadu directly regarding the exercise of their rights under the GDPR, Cadu will advise the Data Subject to contact the Customer and will forward the request to the Customer where reasonably practicable. Cadu will not respond to such requests itself unless authorised by the Customer.
Where the Customer cannot fulfil a Data Subject request through the Cadu service alone, Cadu will provide reasonable assistance to enable the Customer to respond, taking into account the nature of the Processing.
11. Audit rights
Cadu shall make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer.
In practice, given the small scale of Cadu's operations and the nature of the service, audit rights will normally be satisfied by Cadu providing relevant documentation, certifications, and answers to reasonable questions. On-site audits will only be required where the Customer can demonstrate a specific concern that cannot otherwise be addressed, and shall be conducted at the Customer's cost on reasonable notice and during normal business hours.
12. Liability
The liability provisions of the Cadu Terms of Service apply to this DPA. Nothing in this DPA limits any liability that cannot be limited by applicable law.
13. Term and termination
This DPA takes effect when the Customer accepts the Cadu Terms of Service and remains in force for as long as Cadu Processes Personal Data on the Customer's behalf. On termination, Cadu shall delete or return Customer Data in accordance with Section 5.7 and the retention periods set out in the Privacy Policy.
14. Governing law
This DPA is governed by the laws of Romania, except where mandatory provisions of EU or local data protection law apply. Disputes shall be subject to the exclusive jurisdiction of the Romanian courts, without prejudice to a Data Subject's rights to bring a claim before their local supervisory authority or court.
15. Order of precedence
In the event of any conflict between this DPA and the Terms of Service, this DPA prevails with respect to the Processing of Personal Data on the Customer's behalf.
16. Contact
For data protection enquiries, including objections to Sub-processors and breach notifications, please contact privacy@cadu.app.
Annex 1 — Technical and organisational security measures
Encryption
- All data in transit between visitors and Customer websites is encrypted using TLS (HTTPS).
- All data in transit between Cadu and its Sub-processors is encrypted using TLS.
- Inbound WhatsApp messages benefit from WhatsApp's end-to-end encryption between the user and the Meta platform.
Access control
- Administrative access to Cadu's infrastructure is limited to authorised personnel and protected by strong authentication.
- API credentials and secrets are stored in a secrets manager, not in source code.
- Customer data isolation is enforced by per-customer Durable Object storage, ensuring that one Customer's data cannot be accessed by another Customer.
Resilience and backups
- Customer website source files are stored in version control, providing an audit trail and the ability to restore prior versions.
- Infrastructure runs on Cloudflare's global network with built-in redundancy.
Monitoring and incident response
- Cadu logs system errors and operational events to enable detection of anomalous activity.
- Cadu has an incident response process that includes the breach notification obligations set out in Section 9 of this DPA.
Data minimisation and retention
- Cadu only Processes the Personal Data necessary to provide the service.
- Retention periods are set out in the Privacy Policy. Personal Data is deleted at the end of the retention period unless required to be retained by law.
Sub-processors
- Cadu engages only Sub-processors that provide sufficient guarantees to implement appropriate technical and organisational measures, and binds them by written contract.
These measures may be updated over time as the service evolves, provided that the level of protection is not materially decreased.